Bazaar2 Monthly Report - July 2017

July was mostly focused on wrapping up things from the final development sprint, including field testing and translation. We have decided that, with the completion of the Bazaar2 project, the F-Droid suite of software is ready to be called 1.0. We are finalizing a cross-project 1.0 release, so we made 1.0 alpha releases of the Android client, are preparing to launch the fully localized 1.0 website, and released the beta version 0.8 of the server/repo tools. In preparation for this big release, we also did a lot of polishing and QA work on the localization across the whole F-Droid project.

We added new tools on the server side to make it easier to build apps that have complicated setups. This is in response to issues that we worked through with Ooni Probe, VLC, and Barcode Scanner. One notable new feature is the new sudo= field, which is a place to specify setup commands that need to be run as root. Since the official F-Droid build process happens in a virtual machine guest instance (VM), each app’s build process can run commands as root without harming security. After each build, the VM is reset to the original state.

After completing the first round of user tests on Repomaker, we discovered the need for users to have a complete understanding of F-Droid and how it works. Each of the tutorials we’ve outlined for the Bazaar project will be available on the F-Droid website, and will work together to provide users with a complete understanding of what they can do with F-Droid. Tutorials include: how to add a repo, how to send and receive apps offline and how to create your own repo. The layout of the tutorials is designed to be easily viewed on desktop computers, tablets and mobile phones. This is important for our target audience. They are also designed to be easily updated by the F-Droid team when UI updates are made.

In addition to the progress on tutorials, a second round of user tests was conducted with trainers in Zimbabwe. 5 participants completed the study, hosted by our partners at Digital Society.

Objective 3 Modern App Store with Built-in Circumvention

Integrating crash and bug reporting

With the overhaul of the app details screen in the Android client, it is now a lot easier for users to find the developer’s issue tracker when they want to send bug reports. Each app has its own metadata field for the issue tracker URL. There is also a field to specify the developer’s website, in case there is general information for a set of apps from a given developer.

As for F-Droid catching any app’s crash dumps, that is only possible from a "system priv-app". The F-Droid Privileged Extension runs as a system priv-app, and is a natural place to incorporate the ability to catch crash dumps. We completed a prototype of this:

Since Privileged Extension is already included in shipping devices, and is a small package of security-sensitive code, we want to be very conservative about including new features in it. The actual integration work is minimal, so it makes sense to keep the crash dump interceptor as a separate prototype until it gets well tested.

Media handling

Media handling has been completed with the integration of the final piece in the Android client. This functionality is already available in the 1.0 alpha0 release.

We implemented the automated selection of "collateral freedom" mirrors in the Android client app. When the current mirror stops working, F-Droid will try the next mirror that it knows about until it finds a working one. Each time F-Droid connects to a repo, it will get the updated list of available mirrors. This will be included in the 1.0 release.
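
The failover behaviour described above, sketched as an added Python example; it is not code from the F-Droid client. The class and function names, the `fetch` callable, the `mirrors` key and the example URLs are assumptions made for illustration.

```python
# Added illustration; names and the fetch() contract are hypothetical.
class AllMirrorsFailed(Exception):
    """Raised when no known mirror answered; carries the URLs tried."""


class MirrorSelector:
    def __init__(self, mirrors, fetch):
        self.mirrors = list(mirrors)   # known mirrors, current one first
        self.fetch = fetch             # fetch(url) -> index dict, OSError on failure

    def connect(self):
        """Try each known mirror in order; return (url, index) of the first that works."""
        tried = []
        for url in list(self.mirrors):
            try:
                index = self.fetch(url)
            except OSError:
                tried.append(url)      # mirror is down or blocked: move on
                continue
            self._refresh(url, index.get("mirrors", []))
            return url, index
        raise AllMirrorsFailed(tried)

    def _refresh(self, working, advertised):
        # Adopt the list the repo just advertised, keeping the mirror that
        # worked at the front so it is tried first next time.
        self.mirrors = [working] + [m for m in advertised if m != working]


def make_fake_fetch(down, advertised):
    """Constructed stand-in for the network: URLs in `down` are unreachable."""
    def fetch(url):
        if url in down:
            raise OSError("unreachable: " + url)
        return {"mirrors": list(advertised)}
    return fetch


if __name__ == "__main__":
    down = {"https://a.example/repo"}
    advertised = ["https://a.example/repo", "https://b.example/repo",
                  "https://c.example/repo"]
    sel = MirrorSelector(advertised[:2], make_fake_fetch(down, advertised))
    print(sel.connect()[0])            # b: a is down
    down.add("https://b.example/repo")
    print(sel.connect()[0])            # c: learned from the refreshed list
```

The second call succeeds only because the first successful connection refreshed the mirror list; a client that never refreshed would have run out of mirrors.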

Installed apps with known vulnerabilities will now be flagged in the "Updates" screen of the F-Droid Android client. This known vulnerability information comes from the metadata downloaded from F-Droid repos. This feature will highlight vulnerable apps, no matter where they were installed from.